A second iteration of the BadBox botnet has been partially disrupted after impacting over one million Android devices worldwide, bot and fraud protection firm Human Security reports.
First discovered in 2023, the BadBox botnet consisted of low-cost Android devices that came to the shelves with backdoored firmware. These devices, including smartphones, CTV boxes, and tablets, were made by at least one Chinese manufacturer, and some of them were used in public schools in the US.
In December 2024, Germany sinkholed the communication between over 30,000 BadBox-infected media devices and their command-and-control (C&C) servers, but a larger BadBox botnet consisting of over 190,000 devices was discovered shortly after.
Now, Human Security warns that the botnet’s impact has been much larger than initially believed, and that a second iteration, dubbed BadBox 2.0, has infected over one million devices in more than 220 countries.
BadBox 2.0 follows a similar pattern as its predecessor: backdoored Android Open Source Project devices from multiple Chinese manufacturers, including as off-brand tablets, CTV boxes, projectors, and other types of products, are abused by multiple threat actors to commit different types of fraud.
The backdoor is implanted in these products somewhere in the supply chain, fetched from a C&C server upon first boot, or downloaded from a third-party marketplace by the unsuspecting user.
“The BadBox and BadBox 2.0 threat actors exploit software or hardware supply chains or distribute seemingly benign applications that contain ‘loader’ functionality in order to infect these devices and applications with the backdoor,” Human Security notes.
The good news is that the BadBox 2.0 botnet has been partially disrupted through collaboration with Google, Trend Micro, Shadowserver, and other partners. The bad news is that a complete disruption is not yet possible, given that the infection occurs within the supply chain.
The infected devices have been abused for programmatic ad fraud, click fraud, or as residential proxies, enabling malicious activities such as account takeover, account creation, distributed denial-of-service (DDoS) attacks, malware distribution, and one-time password (OTP) theft.
However, the botnet could be abused for other types of malicious activities, given that its operators can load and execute code on the infected devices, thus enabling any functionality they want.
“With the backdoor in place, infected devices could be instructed to carry out any cyberattack a threat actor developed,” Human Security notes.
Four threat actors involved in operating the BadBox 2.0 botnet have been identified, namely SalesTracker Group (likely responsible for the first BadBox botnet), MoYu Group (developed the backdoor), Lemon Group (previously linked to the Guerrilla malware), and LongTV (a Malaysian internet and media company’s brand).
“This wasn’t an attack by a single threat actor, this was a collection of threat actors sharing resources; and not only were they sharing infrastructure from which to support the attack, they shared targets. It was an all-for-one, one-for-all sort of attack,” Human Security notes.
To disrupt the botnet’s activities, ad fraud monetization mitigations were put in place, detection of BadBox-associated behavior was added to Google Play Protect, and publisher accounts associated with the fraud schemes were terminated.
“The fraudsters in this operation attacked the digital advertising ecosystem, compromised the journey from an ad to a website, abused login portals through residential proxy capabilities, and exploited the backdoored devices as a botnet,” the cybersecurity firm notes.
Related: Vo1d Botnet Evolves as It Ensnares 1.6 Million Android TV Boxes
Related: 1,000 Apps Used in Malicious Campaign Targeting Android Users in India
Related: FireScam Android Malware Packs Infostealer, Spyware Capabilities
Related: ‘DroidBot’ Android Trojan Targets Banking, Cryptocurrency Applications
